NRansom
NRansom is a ransomware virus that was first detected in 2017 by malware researchers. NRansom is different from other ransomware. It doesn't ask for a ransom, it asks for nudes. NRansom is more of a locker than it is a ransomware.

Payload Transmission

Its payload is distributed as Hide My Ass VPN software via spam, exploit kits and similar means.

Infection

When executed, it extracts a Visual Basic program called nRansom.exe, some supporting DLLs, and an MP3 called your-mom-gay.mp3 (the song Frolic, best known as the theme music of the show Curb Your Enthusiasm) to a randomly named folder in the %Temp% folder. Once the files are extracted, the launcher executes the nRansom.exe program.

Once nRansom.exe is run, it displays a lock screen with a tiled Thomas & Friends background that asks for nude pics, and then plays your-mom-gay.mp3. This lock screen tells the victim to send 10 nude pictures to the email address 1_kill_yourself_1@protonmail.com, which has already been disabled by Protonmail.

The message reads:

go to protonmail.com and create an account. Send an email to 1_kill_yourself_1@protonmail.com. We will not respond immediatly. After we reply, you must send at least 10 nude pictures of you. After that we will have to verify that the nudes belong to you. Once you are verified, we will give you your unlock code and sell your nudes on the deep web

Variants

NRansom Reborn: This variant is similar to the original, but instead of 10 nudes it asks for 15 nude photos. It also has an image of Barney the dinosaur with yellow text saying "hitler did nothing wrong". It displays this message:

NRANSOM REBORN
I have finally awaken
Your computer has been locked. Don’t worry; your files are safely and easily accessible by closing this window. But how do you close this window? The button at the bottom will close this window. However, it will only close if you have the unlock code. Getting the unlock code is easy. Go to protonmail and send an email to me. My address is die_yourself@protonmail.com Send me 15 of your nudes and then I will give you the unlock code. The code goes here –>

NRansom: This variant asks for 20 nude photos and a video of the user killing 10 innocent people. This variant also uses a Thomas image, but it has text saying "IM GOING TO RAPE YOU". The message says:

Your computer has been locked and your files will be encrypted if you do not follow the instructions to get the code to unlock the machine. There is only one way to receive the unlock code. You must go to www.mail.india.com and create an account. Send an email to 2_kill_yourself@india.com We will not reply immediately. When we reply. Send at least 20 nude pictures of you. After that, I want you to record a video of you murdering 10 innocent people. Send that to me. Once we verify you, we will give you your numerical unlock code. IF YOU DO NOT UNLOCK THE MACHINE IN 5 HOURS WE WILL ENCRYPT YOUR FILES AND THEY WILL BE UNLOCKABLE FOREVER. THE VERIFICATION WILL ONLY WORK IF YOU OPEN BOOBS AND VAGENE !!!
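
A sweep for the dropped files named in the Infection section, added here as an example and not taken from the original page. Only the two filenames come from the page; the function name, the result fields and the confidence labels are assumptions made for the example.

```python
import os

# Filenames taken from the page's Infection section. Windows filenames are
# case-insensitive, so names are compared in lowercase.
LOCKER_EXE = "nransom.exe"
LOCKER_MP3 = "your-mom-gay.mp3"


def find_nransom_drops(temp_root):
    """Return findings for folders under temp_root that hold the dropped files.

    Each finding is a dict with: folder, artifacts (sorted matched names),
    dlls (sorted DLL names in the same folder) and confidence ("high" when
    the executable and the MP3 sit together, "low" when only one is present).
    The field names and labels are assumptions of this example.
    """
    findings = []
    # onerror skips folders that cannot be listed instead of aborting the sweep.
    for folder, _dirs, files in os.walk(temp_root, onerror=lambda err: None):
        lowered = {name.lower(): name for name in files}
        artifacts = sorted(
            lowered[n] for n in (LOCKER_EXE, LOCKER_MP3) if n in lowered
        )
        if not artifacts:
            continue
        dlls = sorted(name for name in files if name.lower().endswith(".dll"))
        findings.append({
            "folder": folder,
            "artifacts": artifacts,
            "dlls": dlls,
            "confidence": "high" if len(artifacts) == 2 else "low",
        })
    return findings


if __name__ == "__main__":
    # Default to the current user's temp directory (%Temp% on Windows).
    import tempfile
    for hit in find_nransom_drops(tempfile.gettempdir()):
        print(f"[{hit['confidence']}] {hit['folder']}: "
              f"{', '.join(hit['artifacts'])} (+{len(hit['dlls'])} DLLs)")
```

A "low" finding means only one of the two files was present, which can happen after partial cleanup and is worth a manual look at the folder.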